待办大师

This skill appears to be a local Python CLI that stores todos in a SQLite DB and does not attempt network access or request secrets — that's good. However: - The included TECH_SPEC/INTRO docs describe a JSON-monthly-file storage model while the script implements SQLite; ask the publisher which storage format is authoritative or assume the implementation (todo.py) is the source of truth. Stale or mismatched docs are a sign to be cautious. - During first run you must explicitly confirm the data directory. Do NOT accept the default unless you want data written inside the skill's installation directory. Prefer specifying an absolute path under your home directory (e.g., /home/you/.local/share/todo-skill or C:\Users\You\todo-data) to avoid permission surprises and accidental writes to system locations. - Inspect scripts/todo.py yourself (or run it in an isolated environment/container) before giving it persistent access. The code included appears to only read/write local files and use SQLite, but you should verify no unexpected network or shell execution calls exist in the full file. - Make backups of any existing data you care about before running init or migrations (the script can migrate legacy JSON data into SQLite and could change file formats). If you need absolute confidence, ask the publisher to clarify the storage design (JSON files vs SQLite) and provide a signed release or more detailed changelog; otherwise run in a sandboxed environment and point the tool at a safe absolute data directory.